Question

I have APIs that require Azure AD bearer authentication.
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // ...
            });
    }
}
Is it then possible to query Azure AD - perhaps using the Graph API - to determine the group information of the calling user? The end goal here is to apply role-based security to the API methods/controllers, as below (or similar).
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
Additionally, how and where is the identity information applied to the executing thread?
Answer
As of recently, you can use Role Claims and/or Group Claims to do so. If you have a web API protected with bearer authentication (like in the sample here), you can configure the API so that access tokens contain Group and/or Role claims.
The OWIN middleware will read the claims in the JWT bearer token and populate the ClaimsIdentity with the appropriate claims, in System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler (source).
To configure your API to receive Group Claims, you need to edit the "groupMembershipClaims" property of the application manifest with a value of "All" or "SecurityGroups" (distribution lists included or excluded, respectively), as shown in this sample, which uses Group Claims to apply role-based security to a web app using the [Authorize] tag.
To configure your API to receive Role Claims, you also need to edit the manifest, defining Application Roles in the "appRoles" property as shown in this sample (link not yet active - it will be in the next few days), which uses Role Claims to do the same. Once you have defined Application Roles, you can assign users and groups to those roles in the Azure Portal or via the GraphAPI. Note that because the claims emitted by AAD are of type "roles", you will need to set the RoleClaimType as:
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
    ...
    TokenValidationParameters = new TokenValidationParameters
    {
        RoleClaimType = "roles",
    },
    ...
}
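The following is an added example that is not part of the original question or answer. It wires the pieces the answer describes end to end: the manifest fragment that turns on group and role claims (the role id is a hypothetical GUID), the OWIN bearer options with RoleClaimType set to "roles", a Web API controller gated by [Authorize(Roles = "Admin")], and a helper that reads the "roles" and "groups" claims off the ClaimsPrincipal. The tenant name and App ID URI are placeholders, the package versions assumed are Microsoft.Owin.Security.ActiveDirectory with System.IdentityModel.Tokens.Jwt 4.x (where TokenValidationParameters lives in System.IdentityModel.Tokens), and the claims used in DemoIsInRole are constructed, not taken from a real token.

```csharp
// Added example, not code from the original post. Assumes Microsoft.Owin.Security.ActiveDirectory
// plus System.IdentityModel.Tokens.Jwt 4.x; tenant, App ID URI and GUIDs below are hypothetical.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;          // TokenValidationParameters (Jwt 4.x namespace)
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

// Manifest side (edited in the Azure portal; the role "id" is a hypothetical GUID):
//   "groupMembershipClaims": "All",
//   "appRoles": [ { "allowedMemberTypes": [ "User" ], "displayName": "Admin",
//                   "description": "API administrators", "value": "Admin",
//                   "id": "11111111-2222-3333-4444-555555555555", "isEnabled": true } ]

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = "contoso.onmicrosoft.com",                         // assumed tenant
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens that were minted for a different API.
                    ValidAudience = "https://contoso.onmicrosoft.com/my-api", // assumed App ID URI
                    // AAD emits application roles as "roles" claims, so tell the
                    // identity which claim type IsInRole() should consult.
                    RoleClaimType = "roles",
                },
            });
    }
}

// Helpers that read what the middleware placed on the ClaimsPrincipal.
public static class AadClaims
{
    public const string RoleClaim = "roles";
    public const string GroupClaim = "groups";
    // When a user belongs to more groups than fit in a token, AAD omits "groups"
    // and emits "_claim_names"/"_claim_sources" pointing at Graph instead.
    public const string OverageMarker = "_claim_names";

    public static IList<string> Roles(ClaimsPrincipal user)
    {
        return user.FindAll(RoleClaim).Select(c => c.Value).ToList();
    }

    // Group claims carry group object IDs (GUIDs), not display names.
    public static IList<string> GroupIds(ClaimsPrincipal user)
    {
        return user.FindAll(GroupClaim).Select(c => c.Value).ToList();
    }

    public static bool HasGroupOverage(ClaimsPrincipal user)
    {
        return user.HasClaim(c => c.Type == OverageMarker);
    }

    // Offline check of the RoleClaimType wiring, built from constructed claims
    // rather than a live token: returns whether IsInRole("Admin") succeeds when
    // the identity's role claim type is "roles".
    public static bool DemoIsInRole()
    {
        var claims = new[]
        {
            new Claim("oid", "00000000-0000-0000-0000-000000000001"),       // constructed user object id
            new Claim(RoleClaim, "Admin"),
            new Claim(GroupClaim, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),  // constructed group id
        };
        var identity = new ClaimsIdentity(claims, "Bearer", "name", RoleClaim);
        return new ClaimsPrincipal(identity).IsInRole("Admin");
    }
}

// [Authorize(Roles = ...)] calls User.IsInRole, which on a ClaimsPrincipal checks
// the claims whose type equals the identity's RoleClaimType ("roles" above).
[Authorize(Roles = "Admin")]
public class AdminController : ApiController
{
    [HttpGet]
    public IHttpActionResult WhoAmI()
    {
        var user = (ClaimsPrincipal)User;   // User is RequestContext.Principal for this request
        if (AadClaims.HasGroupOverage(user))
        {
            // The token lists no groups; membership must be resolved through the Graph API.
            return BadRequest("Group overage: query the Graph API for this user's membership.");
        }
        return Ok(new { roles = AadClaims.Roles(user), groups = AadClaims.GroupIds(user) });
    }
}
```

Two practitioner notes on this example. First, the "groups" claim only ever contains object IDs, so any name-based check needs a lookup table or a Graph call; the overage marker handled above is the case where AAD stops emitting the claim entirely. Second, on the question of where the identity lands: the bearer middleware sets the OWIN request's user; when the API is hosted in IIS through Microsoft.Owin.Host.SystemWeb that principal becomes HttpContext.Current.User and Web API exposes it as RequestContext.Principal, and Thread.CurrentPrincipal is set to the same principal for the request, which is what PrincipalPermission consults. [Authorize] does not depend on Thread.CurrentPrincipal, so it is the more portable choice if the API may also be self-hosted.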